The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-123.1.2.vz7.5.7 ------> commit d2e9d1ba7e3acc37c18ae91a11df1fb5bba2972c Author: Kirill Tkhai <ktk...@odin.com> Date: Fri May 29 12:02:00 2015 +0400
ve/kmod: Add rules for new {ip, ip6, x}table modules Here are the modules, which need extended permissions (see module_payload_allowed() for details). https://jira.sw.ru/browse/PSBM-33631 Signed-off-by: Kirill Tkhai <ktk...@odin.com> Reviewed-by: Cyrill Gorcunov <gorcu...@odin.com>
---
 kernel/kmod.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/kernel/kmod.c b/kernel/kmod.c
index 2daabea..04948ee 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -211,6 +211,7 @@ static struct {
 { "iptable_nat", VE_IP_NAT },
 { "iptable_mangle", VE_IP_MANGLE },
 { "ip6table_filter", VE_IP_FILTER6 },
+ { "ip6table_nat", VE_IP_NAT },
 { "ip6table_mangle", VE_IP_MANGLE6 },
 { "xt_CONNMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
@@ -225,6 +226,8 @@ static struct {
 { "xt_state", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
 { "xt_socket", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
 VE_IP_IPTABLES6 },
+ { "xt_connlabel", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
+ VE_IP_IPTABLES6 },
 { "ipt_CLUSTERIP", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
 { "ipt_CONNMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
@@ -245,6 +248,9 @@ static struct {
 VE_IP_NAT },
 { "ipt_REDIRECT", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
 VE_IP_NAT },
+ { "ipt_connlabel", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
+ VE_IP_IPTABLES6 },
+ { "ipt_SYNPROXY", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
 { "ip6t_CONNMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
 { "ip6t_CONNSECMARK", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
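Review bot: The new `ip6table_nat` entry in the first hunk is gated on `VE_IP_NAT` alone, while the IPv6 tables next to it use IPv6-specific bits (`VE_IP_FILTER6`, `VE_IP_MANGLE6`) and the `ip6t_MASQUERADE` entry added in the last hunk of this commit uses `VE_IP_NAT|VE_IP_IPTABLES6`. If module_payload_allowed(), which is not visible here, treats the mask as the features a container must hold, a container granted only IPv4 NAT could cause the host to autoload the IPv6 NAT table. Consider `{ "ip6table_nat", VE_IP_NAT|VE_IP_IPTABLES6 },`, or add a comment stating why the IPv4 bit is sufficient. The table starts and ends outside the hunk.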
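Review bot: `ipt_connlabel` in the third hunk is an IPv4 (`ipt_`) name, yet its mask carries `VE_IP_IPTABLES6`, unlike the other `ipt_` entries visible in this commit (`ipt_CLUSTERIP`, `ipt_CONNMARK`, and the `ipt_SYNPROXY` added right after it), which use only `VE_NF_CONNTRACK|VE_IP_CONNTRACK`. The mask looks copied from the `xt_connlabel` and `ip6t_connlabel` entries. Depending on how module_payload_allowed() evaluates the mask, which this hunk does not show, that either denies the module to IPv4-only containers or ties an IPv4 module to an unrelated feature bit. If it is unintended, the entry would read `{ "ipt_connlabel", VE_NF_CONNTRACK|VE_IP_CONNTRACK },`; if it is intended, a one-line comment above the entry explaining the IPv6 bit would keep the allowlist auditable.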
@@ -258,6 +264,13 @@ static struct {
 { "ip6t_state", VE_NF_CONNTRACK|VE_IP_CONNTRACK },
 { "ip6t_socket", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
 VE_IP_IPTABLES6 },
+ { "ip6t_MASQUERADE", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
+ VE_IP_NAT|VE_IP_IPTABLES6 },
+ { "ip6t_connlabel", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
+ VE_IP_IPTABLES6 },
+ { "ip6t_SYNPROXY", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
+ VE_IP_IPTABLES6 },
+
 { "nf-nat-ipv4", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
 VE_IP_NAT },
 { "nf-nat", VE_NF_CONNTRACK|VE_IP_CONNTRACK|
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel